This document describes the asset types and policies supported by the infrastructure as code (IaC) validation feature in Security Command Center.
Supported asset types
The following is the list of supported Google Cloud asset types:
artifactregistry.googleapis.com/Repository
bigquery.googleapis.com/Dataset
bigquery.googleapis.com/Table
cloudfunctions.googleapis.com/CloudFunction
cloudkms.googleapis.com/ImportJob
cloudkms.googleapis.com/KeyRing
cloudresourcemanager.googleapis.com/Folder
cloudresourcemanager.googleapis.com/Project
composer.googleapis.com/Environment
compute.googleapis.com/Autoscaler
compute.googleapis.com/BackendService
compute.googleapis.com/Disk
compute.googleapis.com/Firewall
compute.googleapis.com/ForwardingRule
compute.googleapis.com/GlobalForwardingRule
compute.googleapis.com/HealthCheck
compute.googleapis.com/Instance
compute.googleapis.com/InstanceGroup
compute.googleapis.com/Network
compute.googleapis.com/NodeGroup
compute.googleapis.com/NodeTemplate
compute.googleapis.com/ResourcePolicy
compute.googleapis.com/Route
compute.googleapis.com/Router
compute.googleapis.com/Snapshot
compute.googleapis.com/SslCertificate
compute.googleapis.com/SslPolicy
compute.googleapis.com/Subnetwork
compute.googleapis.com/TargetHttpProxy
compute.googleapis.com/TargetHttpsProxy
compute.googleapis.com/TargetPool
compute.googleapis.com/TargetSslProxy
compute.googleapis.com/UrlMap
compute.googleapis.com/VpnTunnel
container.googleapis.com/Cluster
container.googleapis.com/NodePool
dataflow.googleapis.com/Job
datastream.googleapis.com/ConnectionProfile
datastream.googleapis.com/PrivateConnection
datastream.googleapis.com/Stream
dns.googleapis.com/ManagedZone
dns.googleapis.com/Policy
file.googleapis.com/Instance
gkehub.googleapis.com/Membership
pubsub.googleapis.com/Subscription
pubsub.googleapis.com/Topic
run.googleapis.com/DomainMapping
run.googleapis.com/Job
run.googleapis.com/Service
serviceusage.googleapis.com/Service
spanner.googleapis.com/Database
spanner.googleapis.com/Instance
sqladmin.googleapis.com/Instance
storage.googleapis.com/Bucket
vpcaccess.googleapis.com/Connector
Validations on the disks[].initializeParams.sourceImage field of compute.googleapis.com/Instance are not supported.
Supported policies
This section describes the policies supported by IaC validation.
Organization policies
The following is the list of supported organization policies:
Allowed VPC egress settings (constraints/run.allowedVPCEgress)
Disable Guest Attributes of Compute Engine metadata (constraints/compute.disableGuestAttributesAccess)
Disable VM serial port access (constraints/compute.disableSerialPortAccess)
Disable VM serial port logging to Stackdriver (constraints/compute.disableSerialPortLogging)
Disable VPC External IPv6 usage (constraints/compute.disableVpcExternalIpv6)
Require OS Login (constraints/compute.requireOsLogin)
Restrict Authorized Networks on Cloud SQL instances (constraints/sql.restrictAuthorizedNetworks)
Require VPC Connector (Cloud Functions) (constraints/cloudfunctions.requireVPCConnector)
Disable VPC Internal IPv6 usage (constraints/compute.disableVpcInternalIpv6)
Allowed ingress settings (Cloud Run) (constraints/run.allowedIngress)
Enforce uniform bucket-level access (constraints/storage.uniformBucketLevelAccess)
Skip creation of default Compute Network (constraints/compute.skipDefaultNetworkCreation)
Custom organization policy constraints
All custom organization policy constraints are supported. However, you cannot validate organization policies that include tags.
Security Health Analytics custom modules
All Security Health Analytics custom modules are supported.
Security Health Analytics built-in detectors
The following is the list of supported built-in detectors:
ALPHA_CLUSTER_ENABLED
AUTO_BACKUP_DISABLED
AUTO_REPAIR_DISABLED
AUTO_UPGRADE_DISABLED
BIGQUERY_TABLE_CMEK_DISABLED
BUCKET_CMEK_DISABLED
BUCKET_LOGGING_DISABLED
BUCKET_POLICY_ONLY_DISABLED
CLUSTER_LOGGING_DISABLED
CLUSTER_MONITORING_DISABLED
CLUSTER_SECRETS_ENCRYPTION_DISABLED
CLUSTER_SHIELDED_NODES_DISABLED
COMPUTE_SECURE_BOOT_DISABLED
COMPUTE_SERIAL_PORTS_ENABLED
CONFIDENTIAL_COMPUTING_DISABLED
COS_NOT_USED
DATAPROC_CMEK_DISABLED
DATAPROC_IMAGE_OUTDATED
DEFAULT_SERVICE_ACCOUNT_USED
DISK_CMEK_DISABLED
DISK_CSEK_DISABLED
FIREWALL_RULE_LOGGING_DISABLED
FLOW_LOGS_DISABLED
FULL_API_ACCESS
VPC_FLOW_LOGS_SETTINGS_NOT_RECOMMENDED
INTEGRITY_MONITORING_DISABLED
INTRANODE_VISIBILITY_DISABLED
IP_ALIAS_DISABLED
IP_FORWARDING_ENABLED
KMS_KEY_NOT_ROTATED
KMS_PUBLIC_KEY
LEGACY_AUTHORIZATION_ENABLED
LEGACY_METADATA_ENABLED
LOAD_BALANCER_LOGGING_DISABLED
MASTER_AUTHORIZED_NETWORKS_DISABLED
NETWORK_POLICY_DISABLED
NODEPOOL_BOOT_CMEK_DISABLED
NODEPOOL_SECURE_BOOT_DISABLED
OPEN_CASSANDRA_PORT
OPEN_CISCOSECURE_WEBSM_PORT
OPEN_DIRECTORY_SERVICES_PORT
OPEN_DNS_PORT
OPEN_ELASTICSEARCH_PORT
OPEN_FIREWALL
OPEN_FTP_PORT
OPEN_HTTP_PORT
OPEN_LDAP_PORT
OPEN_MEMCACHED_PORT
OPEN_MONGODB_PORT
OPEN_MYSQL_PORT
OPEN_NETBIOS_PORT
OPEN_ORACLEDB_PORT
OPEN_POP3_PORT
OPEN_POSTGRESQL_PORT
OPEN_RDP_PORT
OPEN_REDIS_PORT
OPEN_SMTP_PORT
OPEN_SSH_PORT
OPEN_TELNET_PORT
OVER_PRIVILEGED_ACCOUNT
OVER_PRIVILEGED_SCOPES
OVER_PRIVILEGED_SERVICE_ACCOUNT_USER
PRIMITIVE_ROLES_USED
PRIVATE_CLUSTER_DISABLED
PRIVATE_GOOGLE_ACCESS_DISABLED
PUBLIC_BUCKET_ACL
PUBLIC_COMPUTE_IMAGE
PUBLIC_DATASET
PUBLIC_IP_ADDRESS
PUBLIC_SQL_INSTANCE
PUBSUB_CMEK_DISABLED
REDIS_ROLE_USED_ON_ORG
RELEASE_CHANNEL_DISABLED
RSASHA1_FOR_SIGNING
SERVICE_ACCOUNT_KEY_NOT_ROTATED
SHIELDED_VM_DISABLED
SSL_NOT_ENFORCED
SQL_CMEK_DISABLED
SQL_CONTAINED_DATABASE_AUTHENTICATION
SQL_CROSS_DB_OWNERSHIP_CHAINING
SQL_EXTERNAL_SCRIPTS_ENABLED
SQL_LOCAL_INFILE
SQL_LOG_CHECKPOINTS_DISABLED
SQL_LOG_CONNECTIONS_DISABLED
SQL_LOG_DISCONNECTIONS_DISABLED
SQL_LOG_DURATION_DISABLED
SQL_LOG_ERROR_VERBOSITY
SQL_LOG_EXECUTOR_STATS_ENABLED
SQL_LOG_HOSTNAME_ENABLED
SQL_LOG_LOCK_WAITS_DISABLED
SQL_LOG_MIN_DURATION_STATEMENT_ENABLED
SQL_LOG_MIN_ERROR_STATEMENT
SQL_LOG_MIN_ERROR_STATEMENT_SEVERITY
SQL_LOG_MIN_MESSAGES
SQL_LOG_PARSER_STATS_ENABLED
SQL_LOG_PLANNER_STATS_ENABLED
SQL_LOG_STATEMENT
SQL_LOG_STATEMENT_STATS_ENABLED
SQL_LOG_TEMP_FILES
SQL_PUBLIC_IP
SQL_REMOTE_ACCESS_ENABLED
SQL_SKIP_SHOW_DATABASE_DISABLED
SQL_TRACE_FLAG_3625
SQL_USER_CONNECTIONS_CONFIGURED
SQL_USER_OPTIONS_CONFIGURED
USER_MANAGED_SERVICE_ACCOUNT_KEY
WEB_UI_ENABLED
WORKLOAD_IDENTITY_DISABLED